OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: RainerR on October 07, 2017, 02:35:15 am

Title: IPsec | VPN Client Connection to more then 1 subnet - possible?
Post by: RainerR on October 07, 2017, 02:35:15 am
Hello Community.

First of all, here are the key facts of my project:
After I have enticed the reader of this post to continue reading, here is the essential information about what I want to configure.  ;)

Basically, my configuration works without any problems and has been in operation for about a year.

What exactly does this mean and what does it have to do with the subject of this post?

Right, now it's getting exciting. Currently I can access a subnet via IPsec VPN without any problems.
However, I would like to extend the access to several subnets.

That's the point where I can't move on.
I searched the forum, read the documentation, found some hints, but couldn't find a solution.

Now I have landed in the FUBA (fiddling and tinkering) mode and tested various settings of the IPsec tunnels and the mobile client configuration - so far without success;
Lastly, I had the idea to configure a separate phase-2 entry for each subnet, but that didn't work either.

It would be damn cool if any of you had a solution to my problem.

It would also be cool if someone could tell me if what I'm planning to do is technically possible or not.

Every hint is more than welcome to leave FUBA mode.

If you don't want to answer in english, I am a native german speaker and you can also answer me in german.
Depending on how this post develops, I can write a summary in English and/or German so that other searchers can also benefit from the result.

Best regards,
Title: Re: IPsec | VPN Client Connection to more then 1 subnet - possible?
Post by: mimugmail on October 07, 2017, 06:22:02 am
You could use to tunnel everything through VPN or use OpenVPN for this.
Title: Re: IPsec | VPN Client Connection to more then 1 subnet - possible?
Post by: bartjsmit on October 07, 2017, 08:59:07 am
Large organisations route entire offices through IPSec tunnels, both ways. Your chances of success are excellent.

Your client subnet needs to know a route to the remote subnets and they need to know a route back. If the IPSec routers are not the default gateway on each side, you'll need static routes.

Make sure ICMP is allowed everywhere and do traffic captures to follow the trail through your network. This post will guide you: https://forum.ivorde.com/tcpdump-how-to-to-capture-only-icmp-ping-echo-requests-t15191.html

Title: Re: IPsec | VPN Client Connection to more then 1 subnet - possible?
Post by: franco on October 09, 2017, 11:33:43 pm
Spanning your IPsec over a large network (up to meaning all) works as Michael described, and what Bart said about routing through IPsec is also true as long as you make sure to add proper gateways between your IPsec peers, because if you simply try to reach through a tunnel out of its network mask bounds it will fail as security policies allow it, which is what the former approach works around by extending the bounds.

Another way is to use the advanced settings in phase 2 since OPNsense 17.7.1 and add your manual SPD network entries, a sort of ACL for attached networks, that you allow IPsec to route to even though they are not strictly part of your setup. Well, after adding them they are. ;)